github google/osv-scanner v2.0.3


v2.0.3

Features:

  • Feature #1943 Added a flag to suppress the "no package sources found" error.
  • Feature #1844 Allow flags to be passed after scan targets, e.g. osv-scanner ./scan-this-dir --format=vertical, by updating to cli/v3
  • Feature #1882 Added a stable tag to container images for releases that follow semantic versioning.
  • Feature #1846 Experimental: Add --experimental-extractors and --experimental-disable-extractors flags to allow for more granular control over which OSV-Scalibr dependency extractors are used.

Fixes:

  • Bug #1856 Improve XML output by guessing and matching the indentation of existing <dependency> elements.
  • Bug #1850 Prevent escaping of single quotes in XML attributes for better readability and correctness.
  • Bug #1922 Prevent a potential panic in MatchVulnerabilities when the API response is nil, particularly on timeout.
  • Bug #1916 Add the "ubuntu" namespace to the debian purl type to correctly parse dpkg BOMs generated on Ubuntu.
  • Bug #1871 Ensure inventories are sorted by PURL in addition to name and version to prevent incorrect deduplication of packages.
  • Bug #1919 Improve error reporting by including the underlying error when the response body from a Maven registry cannot be read.
  • Bug #1857 Fix an issue where SPDX output was not written correctly because it was being overwritten.
  • Bug #1873 Fix the GitHub Action to not ignore general errors during execution.
  • Bug #1955 Fix issue causing error messages to be spammed when not running in a git repository.
  • Bug #1930 Fix issue where Maven client loses auth data during extraction.
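The PURL sorting fix (Bug #1871) is easiest to see with a small model of sort-then-dedupe. The following is an added example, not osv-scanner's own code: the Inventory type, its field names and the adjacent-pass dedup mechanism are assumptions chosen to illustrate one plausible way a name+version-only sort key lets an exact duplicate survive, and the input is constructed. Dropping or keeping the wrong record matters for a scanner because a lost entry is a lost vulnerability finding.

```go
package main

import (
	"fmt"
	"sort"
)

// Inventory is a hypothetical, simplified record of one extracted package.
// It is not osv-scanner's own type; the field names are assumptions.
type Inventory struct {
	Name    string
	Version string
	PURL    string
}

// equal reports whether two records are the same package in the same ecosystem.
func equal(a, b Inventory) bool {
	return a.Name == b.Name && a.Version == b.Version && a.PURL == b.PURL
}

// dedupeAdjacent removes runs of identical records. It is only correct when
// identical records are neighbours, which the preceding sort must guarantee.
func dedupeAdjacent(in []Inventory) []Inventory {
	out := make([]Inventory, 0, len(in))
	for _, inv := range in {
		if len(out) > 0 && equal(out[len(out)-1], inv) {
			continue
		}
		out = append(out, inv)
	}
	return out
}

// DedupeNameVersionOnly sorts by name and version only (the defective order).
// Records sharing name and version but differing in PURL keep arrival order,
// so an exact duplicate can be separated from its twin and survive the pass.
func DedupeNameVersionOnly(in []Inventory) []Inventory {
	s := append([]Inventory(nil), in...)
	sort.SliceStable(s, func(i, j int) bool {
		if s[i].Name != s[j].Name {
			return s[i].Name < s[j].Name
		}
		return s[i].Version < s[j].Version
	})
	return dedupeAdjacent(s)
}

// DedupeWithPURL adds PURL as the final sort key, so every exact duplicate is
// adjacent to its twin and the adjacent pass removes all of them while still
// keeping one record per ecosystem.
func DedupeWithPURL(in []Inventory) []Inventory {
	s := append([]Inventory(nil), in...)
	sort.SliceStable(s, func(i, j int) bool {
		if s[i].Name != s[j].Name {
			return s[i].Name < s[j].Name
		}
		if s[i].Version != s[j].Version {
			return s[i].Version < s[j].Version
		}
		return s[i].PURL < s[j].PURL
	})
	return dedupeAdjacent(s)
}

// SampleInventories is constructed input: one name/version seen in two
// ecosystems, with the npm record reported twice (e.g. from two lockfiles).
func SampleInventories() []Inventory {
	return []Inventory{
		{"example-lib", "1.2.3", "pkg:npm/example-lib@1.2.3"},
		{"example-lib", "1.2.3", "pkg:pypi/example-lib@1.2.3"},
		{"example-lib", "1.2.3", "pkg:npm/example-lib@1.2.3"},
	}
}

func main() {
	in := SampleInventories()
	fmt.Println("name+version only:", len(DedupeNameVersionOnly(in))) // 3: duplicate npm record survives
	fmt.Println("name+version+purl:", len(DedupeWithPURL(in)))        // 2: one per ecosystem
}
```

With the name+version-only key the two identical npm records are never adjacent, so both survive; with PURL as a tie-breaker they collapse to one, and the pypi record is still kept because it is a different package from the scanner's point of view.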

Misc:

  • Updated dependencies and updated Go to 1.24.4

Full Changelog: v2.0.2...v2.0.3
